| 1 |
On 10/26/2012 10:45 AM, Stan Sander wrote: |
| 2 |
> Probably something I don't have tweaked just right, but a while ago when |
| 3 |
> I tried to sudo it failed. I built this system at least 6 months ago |
| 4 |
> and followed the procedures that were posted at that time, but then |
| 5 |
> wasn't able to work towards putting SELinux in enforcing mode until this |
| 6 |
> past week. |
| 7 |
> |
| 8 |
> sudo: unable to get default type for role sysadm_r |
| 9 |
> sudo: unable to execute /bin/bash: Invalid argument |
| 10 |
> |
| 11 |
> I tried again after running newrole to switch to sysadm_r, but got the |
| 12 |
> same result. |
| 13 |
> |
| 14 |
> The denials in the logs were: |
| 15 |
> |
| 16 |
> Oct 26 09:19:45 iax sudo: stan : TTY=pts/1 ; PWD=/home/stan ; |
| 17 |
> USER=root ; COMMAND=/bin/bash |
| 18 |
> Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session opened |
| 19 |
> for user root by stan(uid=0) |
| 20 |
> Oct 26 09:19:45 iax kernel: type=1400 audit(1351264785.307:8824410): |
| 21 |
> avc: denied { read } for pid=20130 comm="sudo" name="default_type" |
| 22 |
> dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t |
| 23 |
> tcontext=system_u:object_r:default_context_t tclass=file |
| 24 |
> Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session closed |
| 25 |
> for user root |
| 26 |
> |
| 27 |
> find / -inum 6717702 |
| 28 |
> /etc/selinux/strict/contexts/default_type |
| 29 |
> |
| 30 |
> I checked and indeed none of the sudo types have permissions for that |
| 31 |
> file and I don't see any booleans to change it either, so what am I missing? |
| 32 |
> |
| 33 |
> sesearch -t default_context_t -c file -ACd |
| 34 |
> Found 19 semantic av rules: |
| 35 |
> allow initrc_t default_context_t : file { ioctl read getattr lock |
| 36 |
> open } ; |
| 37 |
> allow run_init_t default_context_t : file { ioctl read getattr lock |
| 38 |
> open } ; |
| 39 |
> allow useradd_t default_context_t : file { ioctl read getattr lock |
| 40 |
> open } ; |
| 41 |
> allow sysadm_dbusd_t default_context_t : file { ioctl read getattr |
| 42 |
> lock open } ; |
| 43 |
> allow system_dbusd_t default_context_t : file { ioctl read getattr |
| 44 |
> lock open } ; |
| 45 |
> allow sulogin_t default_context_t : file { ioctl read getattr lock |
| 46 |
> open } ; |
| 47 |
> allow staff_dbusd_t default_context_t : file { ioctl read getattr |
| 48 |
> lock open } ; |
| 49 |
> allow local_login_t default_context_t : file { ioctl read getattr |
| 50 |
> lock open } ; |
| 51 |
> allow sysadm_t default_context_t : file { ioctl read getattr lock |
| 52 |
> open } ; |
| 53 |
> allow setfiles_t default_context_t : file { ioctl read getattr lock |
| 54 |
> open } ; |
| 55 |
> allow user_dbusd_t default_context_t : file { ioctl read getattr lock |
| 56 |
> open } ; |
| 57 |
> allow sshd_t default_context_t : file { ioctl read getattr lock open } ; |
| 58 |
> allow semanage_t default_context_t : file { ioctl read write create |
| 59 |
> getattr setattr lock append unlink link rename open } ; |
| 60 |
> allow staff_t default_context_t : file { ioctl read getattr lock open |
| 61 |
> } ; |
| 62 |
> allow newrole_t default_context_t : file { ioctl read getattr lock |
| 63 |
> open } ; |
| 64 |
> allow nscd_t default_context_t : file { ioctl read getattr lock open } ; |
| 65 |
> allow udev_t default_context_t : file { ioctl read getattr lock open } ; |
| 66 |
> allow crond_t default_context_t : file { ioctl read getattr lock open |
| 67 |
> } ; |
| 68 |
> allow user_t default_context_t : file { ioctl read getattr lock open } ; |
| 69 |
> |
| 70 |
|
| 71 |
Can you give us the command you were trying to run (for instance 'sudo |
| 72 |
-r sysadm_r -t sysadm_t repoman manifest') |
| 73 |
|
| 74 |
also, 'rlpkg -a -r' just in case (I know you said you did it, but do it |
| 75 |
again anyway :D |
| 76 |
|
| 77 |
-- |
| 78 |
-- Matthew Thode (prometheanfire) |
Archives